Iowa Admin. Code r. 641-154.76

Current through Register Vol. 46, No. 26, June 12, 2024
Rule 641-154.76 - Security requirements

The department may request assistance from the department of public safety in ensuring a laboratory meets the security requirements in this rule.

(1) Security policy requirement. A laboratory shall maintain a security policy to prevent the loss, theft, or diversion of medical cannabis goods and samples. The security policy shall apply to all staff and visitors at a laboratory facility.
(2) Visitor logs. Visitors to a laboratory facility shall sign visitor manifests with name, date, and times of entry and exit, and shall wear badges that are visible at all times and that identify them as visitors.
(3) Restricted access. A laboratory shall use a controlled access system and written manifests to limit entrance to all restricted access areas of its laboratory facility and shall retain a record of all persons who entered the restricted access areas.
a. The controlled access system shall do all of the following:
(1) Limit access to authorized individuals;
(2) Maintain a log of individuals with approved access, including dates of approvals and revocations;
(3) Track times of personnel entry;
(4) Track times of personnel movement between restricted access areas;
(5) Store data for retrieval for a minimum of one year; and
(6) Remain operable in the event of a power failure.
b. Separate written manifests of visitors to restricted areas shall be kept and stored for a minimum of one year if the controlled access system does not include electronic records of visitors to the restricted areas.
c. A laboratory shall promptly, but no later than five business days after receipt of request, submit stored controlled access system data to the department.
(4) Personnel identification system. A laboratory shall use a personnel identification system that controls and monitors individual employee access to restricted access areas within the laboratory facility and that meets the requirements of this subrule and subrule 154.76(2).
a. Requirement for employee identification card. An employee identification card shall contain:
(1) The name of the employee;
(2) The date of issuance;
(3) An alphanumeric identification number that is unique to the employee; and
(4) A photographic image of the employee.
b. A laboratory employee shall keep the identification card visible at all times when the employee is in the laboratory.
c. Upon termination or resignation of an employee, a laboratory shall immediately:
(1) Revoke the employee's access to the laboratory; and
(2) Obtain and destroy the employee's identification card, if possible.
(5) Video monitoring and surveillance.
a. Video surveillance system. A laboratory shall operate and maintain in good working order a video surveillance system for its premises that operates 24 hours per day, seven days a week, and visually records all areas where medical cannabis goods are stored or tested.
b. Camera specifications. Cameras shall:
(1) Capture clear and certain identification of any person entering or exiting a restricted access area containing medical cannabis goods;
(2) Have the ability to produce a clear, color still photograph live or from a recording;
(3) Have on all recordings an embedded date-and-time stamp that is synchronized to the recording and does not obscure the picture; and
(4) Continue to operate during a power outage.
c. Video recording specifications.
(1) A video recording shall export still images in an industry standard image format, such as .jpg, .bmp, or .gif.
(2) Exported video shall be archived in a format that ensures authentication and guarantees that the recorded image has not been altered.
(3) Exported video shall also be saved in an industry standard file format that can be played on a standard computer operating system.
(4) All recordings shall be erased or destroyed at the end of the retention period and prior to disposal of any storage medium.
d. Additional requirements. A laboratory shall maintain all security system equipment and recordings in a secure location to prevent theft, loss, destruction, corruption, and alterations.
e. Retention. A laboratory shall ensure that 24-hour recordings from all video cameras are:
(1) Available for viewing by the department upon request;
(2) Retained for a minimum of 60 days;
(3) Maintained free of alteration or corruption; and
(4) Retained longer, as needed, if a manufacturer is given actual notice of a pending criminal, civil, or administrative investigation, or other legal proceeding for which the recording may contain relevant information.
(6) Chain-of-custody policy and procedures. A laboratory shall maintain a current chain-of-custody policy and procedures. The policy should ensure that:
a. Chain of custody is maintained for samples which may have probable forensic evidentiary value; and
b. Annual training is available for individuals who will be involved with testing medical cannabis goods.
(7) Information technology systems security. A laboratory shall maintain information technology systems protection by employing comprehensive security controls that include security firewall protection, antivirus protection, network and desktop password protection, and security patch management procedures.

Adopted by IAB June 6, 2018/Volume XL, Number 25, effective 7/11/2018